P2P Advanced Troubleshooting Guide: For ISP and Wide Network Operators



Introduction

What is this guide?
This is a troubleshooting guide for the Dahua P2P easy-connection protocol.

Who is this guide written for?
This guide is for operators, network experts and engineers who need to troubleshoot Dahua P2P NAT traversal
protocol issues on their WAN or on their managed equipment.

Who is this guide NOT for?
This guide is NOT for people who would like to connect a simple installation to P2P.

I am not a network expert and I want to make P2P work
Troubleshooting P2P is quite complex; we recommend using Port Address Translation as an alternative.

P2P advanced troubleshooting


Types of NAT

Generic principle of Network Address Translation (RFC 3489)

NAT Table:
192.168.1.108:8000 -> @:1000          (@ = the router's public IP, 1.1.1.1 in the rows below)

LAN side                                    WAN side
From 192.168.1.108:8000 To 2.2.2.2:2000 ->  From 1.1.1.1:1000 To 2.2.2.2:2000      outbound: entry created
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000      reply: translated back
(dropped)                               <-  To 1.1.1.1:3000 From 3.3.3.3:3000      no entry for port 3000

Local IP replaced by external (public) IP
An external random* port is opened
*except for symmetric NAT

Full cone NAT

NAT Table:
192.168.1.108:8000 -> @:1000

LAN side                                    WAN side
From 192.168.1.108:8000 To 2.2.2.2:2000 ->  From 1.1.1.1:1000 To 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:3000 <-  To 1.1.1.1:1000 From 2.2.2.2:3000      same host, other port: passes
To 192.168.1.108:8000 From 3.3.3.3:3000 <-  To 1.1.1.1:1000 From 3.3.3.3:3000      other host: passes

Any host can contact the external port

(Address) restricted cone NAT

NAT Table:
192.168.1.108:8000 -> @:1000 (2.2.2.2)

LAN side                                    WAN side
From 192.168.1.108:8000 To 2.2.2.2:2000 ->  From 1.1.1.1:1000 To 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:3000 <-  To 1.1.1.1:1000 From 2.2.2.2:3000      same host, other port: passes
(dropped)                               <-  To 1.1.1.1:1000 From 3.3.3.3:3000      other host: dropped

Only the remote host we contacted can contact back, from any of its ports

Port restricted cone NAT

NAT Table:
192.168.1.108:8000 -> @:1000 (2.2.2.2:2000)

LAN side                                    WAN side
From 192.168.1.108:8000 To 2.2.2.2:2000 ->  From 1.1.1.1:1000 To 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000
(dropped)                               <-  To 1.1.1.1:1000 From 2.2.2.2:3000      same host, other port: dropped
(dropped)                               <-  To 1.1.1.1:1000 From 3.3.3.3:3000      other host: dropped

Only the remote host we contacted can contact back, and only from the same port we sent the packet to

Symmetric NAT

NAT Table:
192.168.1.108:8000 -> @:8000 (2.2.2.2:2000)

LAN side                                    WAN side
From 192.168.1.108:8000 To 2.2.2.2:2000 ->  From 1.1.1.1:8000 To 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:8000 From 2.2.2.2:2000
(dropped)                               <-  To 1.1.1.1:8000 From 2.2.2.2:3000      same host, other port: dropped
(dropped)                               <-  To 1.1.1.1:8000 From 3.3.3.3:3000      other host: dropped

The router tries, if possible, to expose the same source port on the Internet side

Only the remote host we contacted can contact back, and only from the same port we sent the packet to
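The four behaviours tabulated on the slides above, written out as runnable code. This is an added example, not part of the Dahua guide: the Nat class and replay_guide_scenario function are constructed here, and the "random" external port is simply the next free one starting at 1000.

```python
# Added example (not from the Dahua guide): a small model of the four RFC 3489 NAT behaviours
# drawn in the tables above, with the guide's addresses: device 192.168.1.108:8000 behind
# public IP 1.1.1.1, remote peers 2.2.2.2 and 3.3.3.3.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
@dataclass
class Nat:
    kind: str                       # "full", "restricted", "port_restricted" or "symmetric"
    public_ip: str
    next_port: int = 1000           # constructed: first "random" external port (the guide's @:1000)
    table: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)  # ext port -> (inner, peer)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate a LAN packet, creating an entry on first use; returns the WAN-side source."""
        for ext_port, (inner, peer) in self.table.items():
            # cone NATs keep one entry per internal endpoint, symmetric NAT one per destination
            if inner == src and (self.kind != "symmetric" or peer == dst):
                return (self.public_ip, ext_port)
        if self.kind == "symmetric" and src[1] not in self.table:
            ext_port = src[1]       # the guide: symmetric NAT tries to keep the device's source port
        else:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (src, dst)
        return (self.public_ip, ext_port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Filter a WAN packet: the internal destination it is forwarded to, or None if dropped."""
        if dst[0] != self.public_ip or dst[1] not in self.table:
            return None             # no entry for that external port (the RFC 3489 slide, port 3000)
        inner, peer = self.table[dst[1]]
        if self.kind == "full":
            return inner            # any host may use the external port
        if self.kind == "restricted":
            return inner if src[0] == peer[0] else None   # same remote IP, any remote port
        return inner if src == peer else None             # same remote IP and same remote port

def replay_guide_scenario(kind: str) -> Dict[str, Optional[Endpoint]]:
    """Reproduce a slide: the device talks to 2.2.2.2:2000, then three WAN packets hit the entry."""
    nat = Nat(kind, "1.1.1.1")
    device, peer = ("192.168.1.108", 8000), ("2.2.2.2", 2000)
    ext = nat.outbound(device, peer)
    return {
        "external": ext,
        "reply_same_port": nat.inbound(peer, ext),                    # From 2.2.2.2:2000
        "same_host_other_port": nat.inbound(("2.2.2.2", 3000), ext),  # From 2.2.2.2:3000
        "other_host": nat.inbound(("3.3.3.3", 3000), ext),            # From 3.3.3.3:3000
    }
```

Running replay_guide_scenario for each kind reproduces the "passes"/"dropped" column of the corresponding slide.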

Network topology detection

Network type detection

STUN

The STUN server reports how the device is seen from outside (public IP address, the port it was contacted on, etc.).
The STUN server is used to detect the local network topology.
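How a STUN client turns that outside view into a topology class, following the RFC 3489 discovery tests (Test I, II and III). This is an added example, not part of the guide: the StunObservations fields and the two constructed observation sets are assumptions, and the function only classifies observations that a client would have collected beforehand.

```python
# Added example (not part of the Dahua guide): the RFC 3489 NAT discovery decision tree,
# applied to observations a STUN client has already collected. Field names follow the
# RFC's Test I / Test II / Test III; nothing here touches the network.
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)

@dataclass
class StunObservations:
    local: Endpoint                     # address the client bound locally
    t1_mapped: Optional[Endpoint]       # Test I: MAPPED-ADDRESS returned by the server (None = no reply)
    t2_replied: bool                    # Test II: reply asked from a different IP *and* port did arrive
    t1_alt_mapped: Optional[Endpoint]   # Test I again, towards the server's alternate address
    t3_replied: bool                    # Test III: reply asked from a different port only did arrive

def classify_nat(obs: StunObservations) -> str:
    """Return the RFC 3489 topology class that these observations imply."""
    if obs.t1_mapped is None:
        return "UDP blocked"
    if obs.t1_mapped == obs.local:
        # no address translation at all: open Internet, or a firewall that filters unsolicited UDP
        return "Open Internet" if obs.t2_replied else "Symmetric UDP firewall"
    if obs.t2_replied:
        return "Full cone NAT"          # an unsolicited IP and port reached the mapping
    if obs.t1_alt_mapped != obs.t1_mapped:
        return "Symmetric NAT"          # the mapping changes with the destination
    return "Restricted cone NAT" if obs.t3_replied else "Port restricted cone NAT"

# Constructed observations for a device at 192.168.1.108:8000 behind the public IP 1.1.1.1
PORT_RESTRICTED = StunObservations(("192.168.1.108", 8000), ("1.1.1.1", 1000), False, ("1.1.1.1", 1000), False)
SYMMETRIC = StunObservations(("192.168.1.108", 8000), ("1.1.1.1", 8000), False, ("1.1.1.1", 8001), False)
```

The last two classes are exactly the ones the troubleshooting steps below ask to rule out on both sides.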

TURN

The TURN server is the last resort (fallback mode) when no option exists to connect the two peers together directly.

Troubleshooting steps
1. Identify the topology on both sides of the network
2. Make sure there is no:
   - Operator NAT (Bouygues)
   - Host IPv4 sharing (Free)
   - Symmetric NAT (Orange)
   - Port restricted NAT (Orange)
3. Perform tests from different networks (client device)
4. When possible, check the router NAT table to identify which port is mapped and which is not
5. Perform a network capture using port mirroring and contact Dahua with the network capture:
julien.blitte@dahuatech.com

P2P alternatives

(Static) Port Address Translation

PAT Table (config):
@:1000 -> 192.168.1.108:8000

NAT Table (dynamic):
...

LAN side                                    WAN side
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000      forwarded
To 192.168.1.108:8000 From 3.3.3.3:3000 <-  To 1.1.1.1:1000 From 3.3.3.3:3000      forwarded
(dropped)                               <-  To 1.1.1.1:8000 From 2.2.2.2:2000      port 8000 is not published

The router always exposes a defined port and redirects it to the same device and port.
Any remote host that knows the port can access the device. The public IP must be fixed.
This is the recommended solution.
For security reasons, the external port should always be different from the device's default port.

DMZ

Configuration:
DMZ = 192.168.1.108

NAT Table (dynamic):
...

LAN side                                    WAN side
To 192.168.1.108:1000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:8000 From 2.2.2.2:2000
To 192.168.1.108:4000 From 2.2.2.2:3000 <-  To 1.1.1.1:4000 From 2.2.2.2:3000
To 192.168.1.108:5000 From 3.3.3.3:3000 <-  To 1.1.1.1:5000 From 3.3.3.3:3000

The router forwards all incoming requests to the same device on the network, keeping the same destination port.

This configuration is security suicide: all the ports are exposed.

UPnP

UPnP Table (dynamic):
@:1000 -> 192.168.1.108:8000

NAT Table (dynamic):
...

LAN side                                    WAN side
UPnP request from 192.168.1.108: create PAT on port 1000 for 192.168.1.108:8000
To 192.168.1.108:8000 From 2.2.2.2:2000 <-  To 1.1.1.1:1000 From 2.2.2.2:2000

The device detects the router and dynamically requests the port to forward. The public IP must be fixed.

This might be a risk (default port exposed, customer unaware).
